Enhance Authentik role in noble cluster setup by adding support for resolving OAuth2 flow, signing key, and scope mapping UUIDs from the worker database, improving API access under 2026+ RBAC. Update README with troubleshooting steps for common OAuth2 provider issues and adjust default variables for better configuration management. Ensure seamless integration with oauth2-proxy by allowing unverified email handling in development environments.

2026-05-14 14:26:43 -04:00
parent c392ce1e5a
commit 5e5c6ef671
24 changed files with 868 additions and 99 deletions
--- a/ansible/roles/talos_phase_a/tasks/apply_talos_node_config.yml
+++ b/ansible/roles/talos_phase_a/tasks/apply_talos_node_config.yml
@@ -0,0 +1,69 @@
+---
+# Included once per **talos_node** (see **main.yml**). When the cluster probe used **joined** mode,
+# a straggler may still expose the maintenance API cert (**x509: certificate signed by unknown authority**);
+# we retry that node with **--insecure** so apply-config can complete.
+
+- name: Apply machine config (full cluster maintenance — insecure)
+  ansible.builtin.command:
+    argv:
+      - talosctl
+      - apply-config
+      - --insecure
+      - -n
+      - "{{ talos_node.ip }}"
+      - --file
+      - "{{ noble_talos_dir }}/out/{{ talos_node.machine }}"
+  when: noble_talos_apply_insecure | bool
+  changed_when: true
+
+- name: Apply machine config (joined cluster — TLS with per-node maintenance fallback)
+  when: not (noble_talos_apply_insecure | bool)
+  block:
+    - name: Reset CA mismatch flag for this node
+      ansible.builtin.set_fact:
+        noble_talos_apply_node_ca_mismatch: false
+
+    - name: Try TLS (TALOSCONFIG / cluster CA)
+      ansible.builtin.command:
+        argv:
+          - talosctl
+          - apply-config
+          - -n
+          - "{{ talos_node.ip }}"
+          - --file
+          - "{{ noble_talos_dir }}/out/{{ talos_node.machine }}"
+      environment:
+        TALOSCONFIG: "{{ noble_talos_dir }}/out/talosconfig"
+      changed_when: true
+
+  rescue:
+    - name: Detect Talos API still on maintenance / unknown CA (straggler vs first node)
+      ansible.builtin.set_fact:
+        noble_talos_apply_node_ca_mismatch: >-
+          {{
+            ('unknown authority' in (ansible_failed_result.stderr | default('')))
+            or ('certificate signed by unknown authority' in (ansible_failed_result.stderr | default('')))
+            or ('authentication handshake failed' in (ansible_failed_result.stderr | default('')))
+          }}
+
+    - name: Apply machine config with --insecure (node not yet trusting cluster CA)
+      ansible.builtin.command:
+        argv:
+          - talosctl
+          - apply-config
+          - --insecure
+          - -n
+          - "{{ talos_node.ip }}"
+          - --file
+          - "{{ noble_talos_dir }}/out/{{ talos_node.machine }}"
+      when: noble_talos_apply_node_ca_mismatch | bool
+      register: noble_talos_apply_node_insecure_cmd
+      changed_when: true
+      failed_when: noble_talos_apply_node_insecure_cmd.rc != 0
+
+    - name: Fail when apply-config failed for reasons other than unknown CA
+      ansible.builtin.fail:
+        msg: >-
+          talosctl apply-config failed on {{ talos_node.ip }} (TLS, no insecure fallback):
+          {{ ansible_failed_result.stderr | default('no stderr') }}
+      when: not (noble_talos_apply_node_ca_mismatch | bool)
--- a/ansible/roles/talos_phase_a/tasks/main.yml
+++ b/ansible/roles/talos_phase_a/tasks/main.yml
@@ -114,38 +114,12 @@
      apply-config: {{ 'maintenance (--insecure)' if noble_talos_apply_insecure | bool else 'joined (TALOSCONFIG)' }}
      (noble_talos_apply_mode={{ noble_talos_apply_mode | default('auto') }})

- name: Apply machine config to each node (first install — insecure)
-  ansible.builtin.command:
-    argv:
-      - talosctl
-      - apply-config
-      - --insecure
-      - -n
-      - "{{ item.ip }}"
-      - --file
-      - "{{ noble_talos_dir }}/out/{{ item.machine }}"
+- name: Apply machine config to each Talos node (TLS or insecure; per-node CA fallback when joined)
+  ansible.builtin.include_tasks: apply_talos_node_config.yml
  loop: "{{ noble_talos_nodes }}"
  loop_control:
-    label: "{{ item.ip }}"
-  when: noble_talos_apply_insecure | bool
-  changed_when: true
-
- name: Apply machine config to each node (cluster already has TLS — no insecure)
-  ansible.builtin.command:
-    argv:
-      - talosctl
-      - apply-config
-      - -n
-      - "{{ item.ip }}"
-      - --file
-      - "{{ noble_talos_dir }}/out/{{ item.machine }}"
-  environment:
-    TALOSCONFIG: "{{ noble_talos_dir }}/out/talosconfig"
-  loop: "{{ noble_talos_nodes }}"
-  loop_control:
-    label: "{{ item.ip }}"
-  when: not (noble_talos_apply_insecure | bool)
-  changed_when: true
+    label: "{{ talos_node.ip }}"
+    loop_var: talos_node

 # apply-config triggers reboots; apid on :50000 must accept connections before talosctl bootstrap / kubeconfig.
 - name: Wait for Talos machine API (apid) on bootstrap node